[dm-crypt] Decrypt a volume without user intervention

Carlos E. R. robin.listas at telefonica.net
Wed Aug 23 15:33:32 CEST 2017


On 2017-08-23 10:32, Marco Cavallini wrote:
> 2017-08-22 17:09 GMT+02:00 Carlos E. R. <robin.listas at telefonica.net>:
> 
>>
>> I'm not a guru, but I do that easily.
>>
>> /etc/crypttab:
>>
>> cr_home     /dev/disk/by-id/something-part5 none       none
>> cr_two      /dev/disk/by-uuid/someuuid     /home/cer/Keys/the_two_keyfile    auto
>>
>> /etc/fstab:
>>
>> /dev/mapper/cr_home  /home        xfs     lazytime,nofail                 0 2
>> /dev/mapper/cr_two   /data/two    xfs     user,lazytime,exec,nofail       1 3
>>
>> "/data/two" is mounted automatically without asking for the passphrase, after home is mounted.
>> You should not have the key file available on a non-encrypted mount, of course. Or not one that is always available on the computer, or the thieves will open your files.
>>
> 
> 
> Hi Carlos,
> thank you for answering.
> With your procedure "/data/two" is mounted automatically because the
> passphrase is in /home but is expected to enter a passphrase to
> decrypt /home ?

Of course.

As I said, if the passfile is stored in the computer, it has to be
protected by another password, i.e., encrypted.

If the passfile is in the clear, it cannot be stored in the computer.
It should be a removable device that is never kept with the computer.
Like a key you keep on a necklace.


You could keep the passfile encrypted with GPG, and during boot somehow
generate another file in the clear that you store on a ramdisk, used to
decrypt the disk. You have to enter the GPG decryption key during boot
somehow.

-- 
Cheers / Saludos,

		Carlos E. R.
		(from 42.2 x86_64 "Malachite" at Telcontar)
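The setup Carlos describes (a keyfile that is itself only reachable from an encrypted mount, or GPG-encrypted on disk and decrypted to RAM at boot) lends itself to two small pieces of shell. The script below is an added example, not code from Carlos's mail or from the dm-crypt project. It assumes the systemd crypttab field layout (name, device, keyfile, options), a GNU/Linux userland with `cryptsetup`, `gpg`, `findmnt`-style `/etc/fstab` entries, and root for the unlock function. The checker treats only filesystems backed by `/dev/mapper/*` as "encrypted"; a keyfile read straight from a block device (the removable-media case in the mail) is not a file on a mounted filesystem and is skipped. The entry names `cr_three` and `/etc/keys/three.key` in the dispatch comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original mail). Helpers for the
# keyfile-on-encrypted-mount pattern and the GPG-to-ramdisk variant.
set -u

# Create a random raw keyfile readable only by its owner. 64 bytes of
# /dev/urandom is plenty for a LUKS key slot.
generate_keyfile() {
    out=$1
    (umask 077 && head -c 64 /dev/urandom > "$out")
}

# Read crypttab text on stdin; $1 is an fstab file. Print one line for each
# crypttab entry whose keyfile lives on a filesystem that is NOT a dm-crypt
# mapping (/dev/mapper/*). Longest matching fstab mount point wins.
# Exit status: 0 if nothing is flagged, 1 otherwise.
check_keyfile_locations() {
    fstab=$1
    awk -v fstab="$fstab" '
    BEGIN {
        while ((getline line < fstab) > 0) {
            if (line ~ /^[[:space:]]*(#|$)/) continue
            split(line, f)
            dev[f[2]] = f[1]           # mount point -> backing device
        }
    }
    /^[[:space:]]*(#|$)/ { next }
    {
        key = $3
        # "none"/"-" means interactive passphrase: nothing stored on disk.
        if (key == "none" || key == "-" || key == "") next
        # A raw block device (e.g. a USB stick) is not on a mounted fs;
        # this check does not judge it.
        if (key ~ /^\/dev\//) next
        best = ""
        for (mp in dev) {
            if (mp == "/" || key == mp || index(key, mp "/") == 1) {
                if (length(mp) > length(best)) best = mp
            }
        }
        if (best == "" || dev[best] !~ /^\/dev\/mapper\//) {
            printf "%s: keyfile %s is on %s (%s), not on a dm-crypt volume\n",
                $1, key, (best == "" ? "?" : best),
                (best == "" ? "no fstab entry" : dev[best])
            bad = 1
        }
    }
    END { exit bad ? 1 : 0 }'
}

# Boot-time variant of the GPG idea from the mail: decrypt the GPG-encrypted
# keyfile into a tmpfs (RAM only), open the volume with it, then remove the
# plaintext and drop the tmpfs. gpg prompts for the passphrase on the console.
# Requires root. Create the encrypted file once with:
#   gpg --symmetric --cipher-algo AES256 --output key.gpg key
unlock_with_gpg_keyfile() {
    enc=$1; dev=$2; name=$3
    ram=$(mktemp -d /run/cryptkey.XXXXXX)
    mount -t tmpfs -o size=1m,mode=0700 tmpfs "$ram"
    gpg --quiet --decrypt --output "$ram/key" "$enc" || { umount "$ram"; rmdir "$ram"; return 1; }
    cryptsetup open --key-file "$ram/key" "$dev" "$name"
    rc=$?
    rm -f "$ram/key"          # unmounting the tmpfs discards the pages anyway
    umount "$ram" && rmdir "$ram"
    return $rc
}

# Usage (hypothetical paths):
#   ./keyfile.sh genkey /home/cer/Keys/the_two_keyfile
#   ./keyfile.sh check                      # audits /etc/crypttab vs /etc/fstab
#   ./keyfile.sh unlock /etc/keys/three.key.gpg /dev/disk/by-uuid/someuuid cr_three
case "${1:-}" in
    genkey) generate_keyfile "$2" ;;
    check)  check_keyfile_locations /etc/fstab < /etc/crypttab ;;
    unlock) unlock_with_gpg_keyfile "$2" "$3" "$4" ;;
esac
```

`check` is the automated form of the warning in the quoted mail: with Carlos's two entries it stays silent, because `/home/cer/Keys/the_two_keyfile` resolves to the `/dev/mapper/cr_home` mount, while a keyfile under `/etc` on an unencrypted root gets reported. The unlock function still needs someone at the console to type the GPG passphrase, which is exactly the point the mail makes: a keyfile that is usable without any secret entered at boot is a keyfile a thief can use too.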
